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(54) RF based theft deterrent system and method 

(57) A remote function actuator (RFA) is operated 
by a portable transmitter to unlock vehicle doors, etc. 
and uses an encryption algorithm to verify that a trans- 
mitted security code is authentic. The RFA is coupled by 
a serial data link to the vehicle radio, powertrain control 
module (PCM), and air bag diagnostic and control mod- 
ule (SDM) to forward a verified code to those modules 
which independently verify the code. If a module has 



been stolen from another vehicle it cannot verify the 
code and its operation is disabled or impaired. The SDM 
is coupled by a data link to an airbag module and a ver- 
ified code is sent to and stored in the airbag module. 
Upon ignition activation the stored code is compared to 
that in the SDM and if they do not match an error code 
is set. 
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Description 

Technical Field 

This invention relates to a radio frequency based 5 
theft deterrent method and system and particularly to 
the security of electronic modules in vehicles. 

Background of the Invention 

10 

Personal-size remote control transmitters are 
widely used to provide a convenient method of locking 
or unlocking vehicles, and/or to remotely arm or disarm 
vehicle theft deterrent systems. They are also used to 
control home/business security systems and garage is 
door openers. 

Message authentication using cryptographic tech- 
niques is a good method for preventing spoofing and 
playback attacks. The U.S. Patent 5,506,905 to 
Markowski et al entitled "AUTHENTICATION METHOD 20 
FOR KEYLESS ENTRY SYSTEM", which is incorpo- 
rated herein by reference, is an example of an improved 
system of that type which produces very secure authen- 
ticated messages requiring a short transmission time to 
economize battery life in a personal transmitter. Such a 25 
keyless entry system fa a motor vehicle, as shown in 
Figure 1 , includes a number of portable remote controls 
or fobs 10 small enough to carry in one's pocket or on a 
key chain. Each fob 10 has buttons 12 for manual selec- 
tion of desired functions to be performed in the vehicle, 30 
a microprocessor 14 responsive to button actuation for 
formulating a command message, including an authen- 
ticator code and a function code identifying the desired 
function to be performed, and a radio transmitter 16 for 
transmitting the message. The fob 1 0 functions are sup - 35 
ported by a miniature battery 17 which should have a 
life of several years. In the vehicle a receiver 18 receives 
the transmitted message, if the vehicle is within the 
transmitter range, and a microprocessor 20 acts upon 
data in the received message to determine whether thg 40 
authenticator code is valid, and it so, to perform the 
desired function. The receiver and microprocessor are 
part of a remote function actuator 24 (RFA) which 
responds to the message to lock or unlock doors, open 
the trunk, etc. 45 

Each microprocessor 14 and 20 is programmed to 
execute a cryptographic algorithm which operates on 
certain stored and/or transmitted data, as well as on a 
selected function code to generate an authentication 
code which is different for every transmission, thus pre- 50 
venting successful replay of a previously transmitted 
message. The authentication code is sufficiently short 
to be transmitted economically but the generation pro- 
cedure has a complexity that renders rl impractical for 
an adversary to predict the next valid code based on 55 
knowledge of previously transmitted messages. The 
procedure for message validation is first to compare the 
transmitter ID with IDs stored in the receiver memory, 



and if an ID match is found, then for the algorithm in the 
microprocessor to operate on a combination of shared 
secret data and transmitted data to produce authentica- 
tion codes, and to determine that the command is valid 
if the codes are the same. 

Two mechanisms are jointly used to assure that the 
authentication code changes in an unpredictable man- 
ner. First, the algorithm operates on a seed code which 
is changed according to a set of rules for each transmis- 
sion. A sequence number is also incremented with each 
transmission and is included in the message so that the 
receiver algorithm will know how many seed code 
changes to execute in order to resynchronize with the 
transmitter since the receiver does not necessarily 
receive each transmission. Second, the authenticator 
code is generated as a function of the seed code and 
the cryptographic key as well as the desired function 
code. Since for each transmission the function code 
depends on which button the operator selects, another 
level of complexity is added to the authenticator code 
generation to confound attempts to determine a predict- 
able progression of codes, all as described in the U.S. 
patent 5,506,905. 

In manufacture, the microprocessors of both the 
transmitter and the receiver are equipped with the same 
cryptographic engine to thereby calculate the same 
authenticator, given common input information. Each 
transmitter is permanently programmed with a crypto- 
graphic key, an initial seed, and an ID number. When a 
receiver is first matched with one or more transmitters, it 
miist learn those three codes. This is accomplished by 
enabling the program switch 22 on the receiver and 
actuating the transmitter to send a program message 
containing these codes. The transmitter is typically 
actuated in this case by pressing two buttons simultane- 
ously. The program message is shown in Figure 2. It 
includes a preamble which indicates the start of a mes- 
sage, the transmitter ID, the initial seed, the crypto- 
graphic key and a CRC. The CRC (cyclic redundancy 
code) is calculated from all the other field data. 

During use, a normal command is generated by 
pressing one transmitter button and a message is trans- 
mitted in the form shown in Figure 3 including a pream- 
ble, a function code, the transmitter ID, a sequence 
number, an authenticator, and a CRC. If the transmitter 
normal message is sent a few times when the receiver 
is out of range, the receiver loses synchronization with 
the transmitter but can catch up by using the sequence 
number to resynchronize. If the receiver lags in 
sequence by a given amount such as 264 sequence 
numbers, it cannot automatically resynchronize. Then it 
is necessary to transmit a Resynch command which is 
like the normal command of Figure 3 except that a ran- 
domly selected sequence number is used. When the 
Resynch command is given, the initial seed is used 
along with the new sequence number to determine the 
authenticator in both the transmitter and the receiver. 

This theft deterrent system effectively maintains 
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vehicle doors locked if the user locks the doors. How- 
ever if a door is left unlocked or entry is gained by force, 
the electronic components such as a radio, air bags 
modules or power train control modules are subject to 
theft. It is here proposed to extend the theft deterrent 5 
system to individual modules. 

Summary of the Invention 

It is therefore an object of the invention to deter theft 10 
of electronic modules from vehicles by employing radio 
frequency based secure messages to enable module 
operation. 

A remote function actuator (RFA) is linked by a 
radio frequency (RF) signal to a remote, transmitter or 15 
fob and is also connected to a serial data link. When the 
RFA determines that a valid authenticator or cipher 
value is received from the transmitter, it applies the 
cipher value along with the sequence number to the 
data link. The electronic modules of a vehicle such as a 20 
radio, power train control module (PCM) and a sensing 
and diagnostic module (SDM) for airbags are also cou- 
pled to the data link and are equipped with the same 
type of encryption engine as the RFA for independent 
evaluation of the message. Thus the seed value stored 25 
in each module must agree with that of the transmitter 
and RFA for the module to verify the cipher value. Nor- 
mally there is agreement but if the module were stolen 
from another vehicle, the seed value would be different 
so that the module would fail to verify, the. cipher value 30 
and would set an error code .The .error-code may be 
used to disable the module or to light a_te.lt tale lamp .v , 

Brief Descri ption of the Drawings . 

The present invention will now be described; by way. 
of example, with reference to the accompanying draw- 
ings, in which :- 

Figure 1 is a block diagram of a keyless entry sys- 40 

tern according to the prior art; 

Figure 2 is an illustration of message structure for 

programming according to the prior art; ; 

Figure 3 is an illustration of message structure for. 

normal messages according to the prior art; 45 

Figure 4 is a block diagram of a theft deterrent svst 

tern according to the invention; and j 

Figures 5 and 6 are flow charts representing the 

operation of the system according to the invention. 

' 1- . , • • v 50 

Description of the Preferred Embodiment 

The ensuing description is directed to a theft deter- 
rent system and method based on the rolling code 
encryption algorithm described in the above identified 55 
U.S. patent 5,506,905. One variant from that algorithm 
is that the function code is not used in the calculation of 
the authenticator or cipher value. It will be understood 
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that the invention applies equally well to systems using 
either form of the algorithm and, for that matter, to other 
encryption algorithms. 

Referring to Figure 4, the theft deterrent system 
includes an RFA 24 and a key fob transmitter like those 
of Figure 1 , and a serial data bus 26 coupled to the RFA 
24, a PCM 28, a radio 30 and an SDM 32. The SDM 32 
in turn is connected by a data link 34 to an airbag mod- 
ule 36. Battery power is connected to the RFA, the 
PCM, the SDM and the radio either directly or via an 
ignition line. Where there is no direct connection either 
to the battery or to the ignition information regarding the 
ignition state or whether the battery has been discon- 
nected can be supplied by the RFA over the data link. 
The modules 24-32 each contain a microprocessor 20 
embodying the same type of encryption engine as the 
transmitter so that transmitted messages may be inter- 
preted in the same manner by each unit. 

In operation, when the RFA receives a transmitted 
message containing a sequence number and an 
authenticator or cipher value, it verifies that the cipher 
value is correct and transmits it with the sequence 
number via the data bus 26 to the PCM; the radio and 
the SDM. Normally each of the latter units independ- 
ently verifies that the cipher value is correct and enables 
normal operation of the respective module. If the cipher 
value is found to be incorrect, that module would be dis- 
abled or a telltale will be illuminated. 

, .The flow charts of Figure 5 and 6 illustrate- the 
method of operation; The functional description of each 
block in the charts is accompanied by a number in angle 
brackets < nn ) which • corresponds to " the ■;: reference 
number, of the block; The operation, i s the same for the 
radio and the PCM and' is shown in Figure 5. The micro- 
processor 20 periodically examines the ignition and bat- 
tery connection status. If the ignition is on <40 > and the 
battery power has been interrupted < 42 K an error code 
is set <44). Next it is determined whether the cipher 
value and sequence number have been received (46) . 
The data is evaluated by the cryptographic engine and if 
it is verified as correct- < 48) the seed values -and 
sequence number are updated in the microprocessor 
memory (50) and the error code is cleared ( 52 h: If the 
data is not verified, the error code remains in effect. The 
error code may be used to disable the unit or to light a 
tell-tale indicating a problem. 

. The. SDM and airbag modules present a special 
case. Since the SDM is generally installed in a location 
where: it, is difficult to steal; it is: not disabled by an error 
code but it is used to protect the airbag module which is 
vulnerable. When the. SDM receives and verifies a cor- 
rect; cipher : value it stores the cipher value- and 
sequence number and also transmits them to the airbag 
module where they are stored. Each time the ignition is 
activated the stored numbers are compared to deter- 
mine whether they remain the same; if not, the air bag 
module is disabled or a tell-tale is illuminated. In addi- 
tion, if the stored numbers do not match, updating to 
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new numbers is not permitted. As shown in Figure 6,[ 
(54>.. Then] the SDM determines whether the 
sequence number and cipher value have been received 
< 56 ) and if so whether the cipher value is correct < 58 > . 
If it is correct the data is stored in the SDM memory 
<60). The SDM then retrieves numbers previously 
stored in the airbag module ( 62 ) and compares them to 
prior data stored in the SDM ( 64 ) . If they match, updat- 
ing the stored numbers is permitted by transmitting the 
new data to the airbag module for storage in the airbag 
memory <66>. When the ignition is activated < 68) the 
previous data stored in the airbag memory is transmit- 
ted to the SDM and compared, as in step 64, to the cor- 
responding previous data stored in the SDM < 70 ) . If the 
data does not match, an error code is set < 72 > . 

Whenever an error code is set, the affected module 
is either disabled or a tell-tale is illuminated as a matter 
of design choice- 
It will be seen that the invention permits detection of 
stolen modules when there is an attempt to operate 
them in another vehicle, thereby discouraging such 
theft. The system requires connection of the modules 
and the RFA to a data bus (in some vehicles such mod- 
ules are already connected to a bus) and the microproc- 
essors controlling the modules will have software 
changes to carry out the method. 

Claims 

1 . A theft deterrent system for electronic modules in a 
vehicle comprising: 

a remote function actuator (RFA) coupled to a 
data link; 

the RFA having a radio frequency link with a 
portable transmitter and actuated by data 
including a cipher value transmitted by the 
transmitter to apply the data to the data link 
when a correct cipher value is received; 
at least one electronic module coupled to the 
RFA by the data link for receiving the data 
when applied to the link and independently ver- 
ifying the cipher value; and 
means within each module effective when vehi- 
cle ignition is activated for enabling normal 
module operation when the cipher value is ver- 
ified. 

2. The system as defined in claim 1 wherein the 
means within each module produces an error code 
when the cipher value issued by the RFA is not ver- 
ified by the respective module. 

3. The system as defined in claim 1 wherein: 

each of the transmitter, RFA and modules con- 
tain a microprocessor programmed to execute 
a rolling code algorithm to determine a valid 



cipher value based on a sequence number in 
the transmitted data and a seed value. 

4. The system as defined in claim 3 wherein one of the 
5 modules comprises a radio and wherein: 

the radio includes means for disabling radio 
operation when battery power is disconnected 
from the radio and for enabling operation when 
10 a cipher value and sequence number are 

received. 

5. The system as defined in claim 1 wherein one of the 
modules comprises a sensing and diagnostic mod- 

15 ule (SDM) for an airbag which in turn is connected 
by a serial link to an airbag module and wherein: 

the SDM has a microprocessor programmed to 

verify a cipher value using a rolling code algo- 
20 rithm and for storing the verified cipher value 

cipher value and transferring the verified cipher 

value to the airbag module; 

the airbag module has means for storing the 

verified cipher value and for transmitting the 
25 verified cipher value to the SDM when ignition 

is activated; and 

the SDM includes means for setting an error 
code when the cipher value stored in the airbag 
module does not match the cipher value stored 
30 in the SDM. 

6.i' The system, as defined in claim 1 wherein each 
module includes means for setting an error code 
when battery power is removed from the module 
35 and for removing the error code when a valid cipher 
value is received from the transmitter. 

7. A method of deterring theft of electronic modules 
from vehicles equipped with a remote function actu- 
40 ator (RFA) activated by digital data from a remote 
portable transmitter and coupled to the modules by 
a data bus comprising the steps of: 

programming each of the transmitter, the RFA 
45 and the modules with an encryption algorithm 

and with seed values peculiar to a specific vehi- 
cle to enable the RFA and the modules to rec- 
ognize a cipher value sent by the transmitter; 
sending a cipher value from the transmitter to 
50 the RFA; 

verifying the cipher value by the RFA and send- 
ing the cipher value to each module via the 
data bus; 

verifying the cipher value by each module, ena- 
55 bling module operation when the cipher value 

is verified and setting an error code when the 
cipher value is not verified. 
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8. 



The method as defined in claim 7 including the 
steps of: 



disabling module operation when an error code 
is set; and 

enabling module operation when a valid cipher 
value is received. 
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9. 



The method as defined in claim 7 including the 
steps of: 



w 



when battery power is removed from a module 
setting an error code in the module; and 
removing the error code to enable module 
operation when a valid cipher value is received is 
and battery power is restored. 

10. The method as defined in claim 7 wherein one of 
the modules comprises a sensing and diagnostic 
module (SDM) for an airbag which in turn is con- 20 
nected by a serial link to an airbag module including 
the steps of: 

verifying the cipher value in the SDM; 
storing the cipher value in the SDM and send- 25 
ing the cipher value to the airbag module; 
storing the cipher value in the airbag module; 
comparing the cipher value stored in the airbag 
module with the value stored in the SDM when 
vehicle ignition is activated; And 30 
setting an error code when the cipher value 
stored in the airbag module does not match the 
cipher value stored in the SDM; 
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(54) RF based theft deterrent system and method 

(57) A remote function actuator (RFA) is operated 
by a portable transmitter to unlock vehicle doors, etc. 
and uses an encryption algorithm to verify that a trans- 
mitted security code is authentic. The RFA is coupled by 
a serial data link to the vehicle radio, powertrain control 
module (PCM), and air bag diagnostic and control mod- 
ule (SDM) to forward a verified code to those modules 
which independently verify the code. If a module has 



been stolen from another vehicle it cannot verify the 
code and its operation is disabled or impaired. The SDM 
is coupled by a data link to an airbag module and a ver- 
ified code is sent to and stored in the airbag module. 
Upon ignition activation the stored code is compared to 
that in the SDM and if they do not match an error code 
is set. 




CL 
LU 



Printed by Xerox (UK) Business Services 
2.16.7 (HRS)/3.6 



BNSDCCID: <EP 08S7497A3_I_> 



Cr V OOf MO 



European Patent 
Office 



EUROPEAN SEARCH REPORT 



Application Number 

EP 98 20 1624 



DOCUMENTS CONSIDERED TO BE RELEVANT 



Category 



Citation of document with indication, where appropriate, 
of relevant passages 



Relevant 
to claim 



CLASSIFICATION OF THE 
APPLICATION (lntCI.6) 



A,D 



EP 0 767 087 A ( FORD WERKE AG ;F0RD FRANCE 
(FR); FORD MOTOR CO (GB)) 
9 April 1997 (1997-04-09) 

* abstract; figure 1 * 

* column 3, line 38 - line 43 * 

* column 4, line 51 - column 6, line 54 * 

* column 7, line 12 - line 42 * 

* column 8, line 46 - line 55 * 



WO 93 05987 A (FORD MOTOR CANADA ;F0RD 
WERKE AG (DE); FORD FRANCE (FR); FORD 
M0T0) 1 April 1993 (1993-04-01) 

* abstract; figures * 

* page 2, line 31 - page 3, line 22 * 

* page 4, line 33 - page 5, line 10 * 

* page 5, line 36 - page 6, line 17 * 

* page 7, line 9 - page 8, line 11 * 

* page 9, line 14 - line 36 * 

* page 11, line 6 - Hne 7 * 

US 5 506 905 A (BIANCO MARK E ET AL) 
9 April 1996 (1996-04-09) 

* abstract; ; figures 1-4 * 

* column 3, ; line 46 - column 5, Hne 51 * 



2-4,6-9 
2-4,6-9 



DE 195 26 542 A (VD0 SCHINDLING) 
23 January 1997 (1997-01-23) 

* abstract; claims; figure * 

* column 1, Hne 25 - column 2, line 63 * 

GB 2 296 804 A (JANSON NIGEL) 
10 July 1996 (1996-07-10) 

* abstract; claims; figure 1 * 

* page 3, Hne 6 - page 5, line 7 * 

* page 6, Hne 17 - page 7, Hne 10 * 

* page 11, Hne 3 - Hne 9 * 
16, paragraph 1 * 



4,7 



1,5,7,10 



1,3,7 



page 



The present search report has been drawn up for an claims 



E05B49/00 
B60R25/04 
B60R11/02 



TECHNICAL FIELDS 
SEARCHED (lnLCI.6) 



B60R 



THE HAGUE 



.. .» Date of oomplstim of the search 

16 February 2001 



Buron, E 



CATEGORY OF CITED DOCUMENTS 

X : particularly relevant if taken aJone 

Y : parHcuterty relevant If combined wflh another 

document of the same category ,.- 
A : technological background 
O : non-written disclosure •. 
P : intermediate documenl 



T : theory or principle underlying the Invention 
E : earlier patent document, but published on, or 

after the fling date 
D : document cted hi the application 
L : document cted lor other reasons 



& : member of the same patent family, corresponding 
document 



EP 0 887 497 A3 



European Patent 
Office 



EUROPEAN SEARCH REPORT 



Application Number 

EP 98 20 1624 



DOCUMENTS CONSIDERED TO BE RELEVANT 



Category 



Citation of document with indication, where appropriate. 

oj relevant passages 



Relevant 
to claim 



CLASSIFICATION OF THE 
APPLICATION (lnt.CI.6) 



EP 0 765 983 A (SUZUKI MOTOR CO) 

2 April 1997 (1997-04-02) 

* abstract; claims 4-8; figures 4,7-10 * 



TECHNICAL FIELDS 
SEARCHED (lnt.Ct.6) 



The present search report has been drawn up. for all claims 



Race of search 

THE HAGUE 



-.■ Data of completion Gt the aaaroh 

16 -February 2001 



Examiner 

Buron,. E 



CATEGORY OF CITED DOCUMENTS 



X : particularly relevant If taken alone 

Y : particularly relevant ft combined with another 

document of the same category 
A : technotoglcaJ background 
O : non -written disclosure 
P : intermediate document 



T : theory or principle underlying the Invention 
E : earlier patent document, but published on, or 

after the filing date 
D : document cited in (the application 
L : document cited lor other reasons 

i : member of the same patent family, corrospcodng 



3 



BNSDOCID: <EP 0887497A3_I_> 

\ 



V 



EP 0 887 497 A3 



ANNEX TO THE EUROPEAN SEARCH REPORT 
ON EUROPEAN PATENT APPLICATION NO. 



EP 98 20 1624 



This annex lists the patent family members relating to the patent documents cited in the above-mentioned European search report 
The members are as contained in the European Patent Office EDP file on 

The European Patent Office is in no way liable tor these particulars which are merely given for the purpose of information. 

16-02-2001 



Patent document 
cited in search report 



Publication 
date 



Patent family 
member(s) 



Publication 
date 



EP 


0767087 


A 


09-04- 


-1997 


GB 


2306029 A 


23-04-1997 












DE 


69608197 D 


15-06-2000 












DE 


69608197 T 


05-10-2000 












US 


6140935 A 


31-10-2000 


WO 


9305987 


A 


01-04- 


-1993 


DE 


69216644 D 


20-02-1997 












DE 


69216644 T 


24-04-1997 












EP 


0682608 A 


22-11-1995 


US 


5506905 


A 


09-04- 


-1996 


US 


5767784 A 


16-06-1998 


DE 


19526542 


A 


23-01- 


-1997 


NONE 






GB 


2296804 


A 


10-07- 


•1996 


NONE 






EP 


0765983 


A 


02-04- 


•1997 


JP 


9095211 A 


08-04-1997 












JP 


9095208 A 


08-04-1997 












JP 


9095212 A 


08-04-1997 












JP 


9095214 A 


08-04-1997 












JP 


9095215 A 


08-04-1997 












HU 


9602688 A 


30-06-1997 












US 


5796179 A 


18-08-1998 



i For more details about this annex : see Official Journal of the European Patent Office, No. 12/82 



BNSDOCID: <6P 0887497A3J_> 



